HIV Scotland fined £10,000 for BCC email blunder identifying names of virus-carriers' patient-advocates The United Kingdom's data watchdog is calling on organisations to review their "bulk email practices" after a BCC blunder by HIV Scotland incurred a £10,000 fine for breaking data protection regulations. The case pertains to an email that was sent to 105 individuals on the Community Advisory Network (CAN) list, which is made …
Charities are full of people with good intentions and not much know-how, especially when it comes to technical matters.
A few years ago my daughter had the intention of joining the International Red Cross for the summer and go help build housings in tsunami-devastated areas.
She came back with a sobering answer : no, because the IRC had already seen the effect of groups of well-intentioned idiots fouling everything up and ruining the projects, so now they only take experienced people on such drives.
It seems that HIV Scotland is going to learn to revamp its mailing section and ensure that only properly-trained people who know what they are doing are in charge of mailings, and that is contrary to the basics of a charity where people expect their good will should be enough.
Well sometimes it isn't.
Well it isn't
I'd expect anyone handling personal data to have training, especially in a registered charity: it's pretty fundamental to their operation.
However, it would help mitigate careless errors if MTAs had sensible defaults. It's extremely unlikely that CCing more than a handful of people is ever useful and perhaps anyone trying to do so should get an email back explaining why.
Hopefully "lessons have been learned", but is giving special category data / sensitive personal data (email addresses of people with a health condition) to the US-based bunch of chimps to send the emails instead (probably with all kinds of hideous invasive tracking codes embedded) really very much better?
We all know what a bunch of tosh Safe Harbor Privacy Shield whatever it is this month is, and about the general paucity of US data protection laws...
What are the chances of these people now seeing all sorts of advertising for specific drugs in all sorts of places on the net now (is it even legal to advertise prescription drugs in the UK), at the very least?
I'm wondering what is so special about this particular "BCC" mistake that ICO decided to fine *them* when they've previously not fined other organisations for similar breaches of special category personal data. CC-rather-than-BCC type leaks are being reported almost weekly in the UK and such leaks of special category data on almost a monthly basis.
Is the fine because ICO discovered that HIV Scotland realised months before the "leak" that their data handling was not adequate? If so does this mean that ICO are effectively telling orgs that the safest approach is a "don't check" approach - if you don't review your org's compliance then you won't spot any issues so if/when a leak occurs you then won't get fined (or fined less) as you didn't know about issues? If effect, ignorance is bliss?
Also it's surprising that ICO seems to think that HIV Scotland's switch to Mailchip is apparently not an issue. Mailchimp is USA-hosted so personal data held by HIV Scotland will be transferred to USA yet with the Schrems II judgement this would not appear to be UK GDPR compliant. For example in Germany they think it is not: https://edpb.europa.eu/news/national-news/2021/bavarian-dpa-baylda-calls-german-company-cease-use-mailchimp-tool_en
As techies, we know what cc: and bcc: mean, and, more importantly, the subtle but important difference between them, but, apart from us, it is ironically probably only people over 65 who actually know what carbon paper is and what it was used for!
So I can have a little sympathy for a perhaps less technically minded office worker easily being confused between the two: you're faced with two very similar looking and confusing acronyms, you recall they were something about copying to multiple recipients, but you can't remember which was which, or perhaps even recall that there was an important difference (it's just technical mumbo-jumbo to you, after all, and you either haven't been trained well or had a refresher recently, and have forgotten)…
(Although this brings up the all-too-often unanswered or never-asked question as to why "business" thinks it's acceptable for tasks which definitely do require a modicum of technical awareness and organised common sense, and, yes, skill, to be done by people who sometimes lack those skills - part of the foolish 'not professional roles' regard in which admin roles are often seen by so-called higher-ups, when we all know that a professional, skilled and organised admin team holds an organisation together just as much as any of our computer systems do.)
But because we all know this is a big risk, every organisation should, at the least, be putting in suitable Data Protection training for new employees before they get anywhere near handling Personal Data, refresher training as needed, even something as simple as stickers on monitors ("bcc: copies the message and hides recipients' addresses from each other" - this, and its opposite, should really be tool-tips in email clients, of course, kudos to Evolution for doing just that!), and, of course the better solution, making it technically impossible to make that sort of mistake by using mailing list management software instead.
You can't use Exchange to force senders to use Bcc rather than Cc, but you can set it to have a maximum total number of recipients. Of course, a limit that would prevent this sort of disaster might also stop the boss sending essential Monday morning motivational emails to all staff and volunteers.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
